Trust Matters at Mimecast

by Elizabeth Ruhl - Director, Governance, Risk and Compliance at Mimecast

Mimecast recently announced it has completed two important security tests: the Health Insurance Portability and Accountability Act (HIPAA) Security Compliance Assessment and Service Organization Control 2 Type 1 (SOC 2 Type 1) Independent Service Audit. Both third-party reports affirm the security, availability and integrity of Mimecast’s operations and applications, and reflect Mimecast’s commitment to making email safer for business.

Trust is the foundation of our business, and security, privacy and data protection are built into everything we do. This is why we regularly update and maintain certifications and audit reports, which allow us to be transparent to our customers and partners.

Transparency in reporting.
The SOC Reporting Framework allows companies to communicate how their products and services achieve the ‘Trust Principles of Confidentiality, Availability, Integrity, Privacy or Security.’ This is a meaningful way for companies to describe their internal controls to their customers, potential customers and partners through an internationally accepted independent audit. Mimecast understands the importance of these trust principles to our customers, partners, shareholders and investors. These reports are intended to meet the needs of a broad range of users that must understand internal control at a service organization as it relates to security, availability, processing integrity, confidentiality and privacy. Our Information Security Management System (ISMS) is already certified under ISO 27001 (information security management) and ISO 27018 (controls for the protection of personally identifiable information in the public cloud); the SOC 2 report extends our ability to demonstrate trust, transparency and meaningful controls to the service environment Mimecast provides to our customers.

Protecting confidential customer healthcare data.
The HIPAA Privacy, Security and Breach Notification Rules, as updated by the HIPAA Final Omnibus Rule in 2013, set forth how certain entities, including most healthcare providers, must protect and secure patient information. The Health Information Technology for Economic and Clinical Health (HITECH) Act directly regulates Business Associates (BAs) and imposes on them the same privacy and security obligations required of Covered Entities (CEs). Mimecast is a Business Associate for several customers, and we sign Business Associate Agreements (BAAs) with those customers. This means the company has legal, regulatory and contractual obligations to protect Mimecast customer information, including electronic Protected Health Information (ePHI). Mimecast’s HIPAA/HITECH Security Compliance Assessment Report is available on request to prospects that sign the appropriate NDA and to existing customers under service agreement confidentiality.

Interested in learning more? Contact us for additional information about our certifications and audit reports. 


Another Tax Year. A New Email Scam to Watch out For

by Steven Malone - Director of Security Product Management

This time, the threat is not from an African prince but your own CEO or CFO.  

The 2016 tax season has been marked again with the expected number of spammy cyberattacks – the bad guys taking advantage of the time of year to target taxpayers by pretending to be the U.S. Internal Revenue Service (IRS). In fact, the IRS reported seeing a 400 percent “…surge in phishing and malware incidents so far this tax season.” And in the UK, the same is true with warnings out about the number of spam emails claiming to be from Her Majesty’s Revenue and Customs (HMRC).


But this year things have taken a dangerous turn - we have seen a new attack, called CEO fraud or whaling, being widely used that specifically targets employees within companies. In response to this specific threat, the IRS has given clear warnings to HR and payroll professionals to watch out for it. In the UK, Action Fraud has issued a similar warning and has also seen a marked increase in reports of CEO fraud – 1000 between July 2015 and January 2016.

Mimecast’s research reflects this trend – 67% of companies we surveyed said they had seen an increase from January to March this year of whaling emails after money, and 43% saw an increase in those seeking data.

And the very bad news is this attack is working. A large number of organizations have already reported being the victim of attacks in which employees unwittingly leaked to criminals confidential information that can be used for serious identity theft, not to mention financial losses from fraudulent wire transfers.

Now, as other countries enter their tax season, organizations of all sizes (and their employees) can expect to also be the target for cybercriminals intent on stealing data. Employees who have access to confidential information on customers, the company or employees should be particularly vigilant.

These whaling attacks target named individuals and use email to manipulate employees into sending over confidential information like tax records or personal information. Often they specifically target HR or finance professionals. The attacker pretends to be the CFO, HR director or even the CEO and uses a fake email address to make their approach look authentic, often engaging in a number of email exchanges to build up trust before making their request.

So if you run an HR or finance team (or look after their email) now is the time to be extra careful. Ensure employees understand the threat from whaling and remind them of the importance of checking directly (and not over email as this may have been compromised) with their bosses that the information (or money) they are being asked to share is really as a result of a legitimate request from them.

Now technology can help too. Mimecast just announced the first technology service to tackle this threat. Our new service called Impersonation Protect is designed to stop these attacks – we scan all incoming email and warn employees and the IT team if it looks like it is a potential whaling attack. 

So this tax season, don’t become the victim of a well-architected whaling attack. Up your guard and defenses. But remember the attackers won’t limit themselves to going after your data just once a year. Make the changes now to your processes, employee security awareness and technology to protect yourself all year round.


Today, Technology Can Help Stop Whaling Email Attacks

by Steven Malone - Director of Security Product Management

Today we launched the world’s first service designed specifically to stop whaling (CEO fraud) attacks.

Since previewing it at the RSA Conference in March, we’ve had a lot of interest in Impersonation Protect. And, as part of our commitment to continuous email security updates, Mimecast would like to announce that all Targeted Threat Protection customers will get the new service for free.

Whaling attacks are designed to trick key users, often in the finance team, into making fraudulent wire transfers or other financial transactions to cybercriminals by pretending to be the CEO or CFO in a fake email conversation. Some also target those responsible for sensitive employee data, such as payroll information, which could be used for identity theft or to claim fraudulent tax refunds.

These malware-less attacks have been growing around the world as cybercriminals change their attacks to try to circumvent traditional email security techniques such as anti-virus, real-time URL checking and attachment sandboxing.

Growth in whaling (CEO fraud) attacks

  • According to the FBI, whaling email scams alone were up 270% from January to August 2015. The FBI also reported business losses due to whaling of more than $1.2 billion in little over two years, and a further $800 million in the six months since August 2015.
  • A recent report from the UK City of London Police’s National Fraud Intelligence Bureau (NFIB) shows that from July 2015 until January 2016 there was a marked increase in CEO-fraud with a total of 994 reports being made to Action Fraud.
  • According to Mimecast’s own research, since January 2016 67% of firms have seen an increase in attacks designed to extort fraudulent payments and 43% saw an increase in attacks specifically asking for confidential data like HR records or tax information.

Just in the last few months, a large number of organizations have confirmed their employees have been the victim of these attacks, many losing millions of dollars or highly sensitive data to cybercriminals.

Even the smartest employee can fall victim to these malware-less attacks. Employee education and rigorous business processes do play an important role but at Mimecast we believe smarter technology can play a larger role in identifying social-engineering attacks.

Advanced pattern recognition

The content of these messages isn’t spammy. Whaling emails are carefully socially engineered and designed to read like a real email and are highly targeted to each recipient. With no spammy content and no attachment or link to click, it’s highly likely that other security defenses will not detect these mails as dangerous.

Mimecast can already detect traditional spoofing using frameworks like Sender Policy Framework (SPF). Other custom Mimecast policies can check for both envelope and header spoofing. To add further dedicated protection from increasingly common “domain similarity” attacks, Impersonation Protect allows detection of similar domains to a customer’s genuine domains as one of its threat indicators.

How it works

Impersonation Protect identifies combinations of key indicators of attack (IOA) in an email to determine if the content is likely to be suspicious, even in the absence of a URL or attachment.

  • As email passes through the Mimecast Secure Email Gateway, Impersonation Protect examines several key components of the message.
  • Impersonation Protect examines typical IOAs in the email, such as the email’s display name, domain name, domain age and the body of the message to determine if the email could be a social engineering attack, like whaling or CEO-fraud.
  • If the email fails a combination of these tests, administrators can configure Impersonation Protect to bounce the message, quarantine it, or notify end users that the email is suspicious.
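As an added illustration of how the indicator classes listed above can be combined, the following Python sketch scores a message on the four signals the list names (display name, sender domain, domain age and body content) and maps the number of tripped indicators to the three actions the post mentions. This is example code written for this page, not Mimecast code, and it does not describe how Impersonation Protect is implemented: the organization domain, protected executive names, phrase list, thresholds, the domain-age table (a stand-in for a registration-date lookup) and the sample messages are all constructed.

```python
"""Toy impersonation scorer built around the indicators named in the post.

Added example only: not Mimecast code and not how Impersonation Protect
works. Every constant below is constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.com"                 # assumed: the customer's genuine domain
PROTECTED_NAMES = {"jane doe", "john smith"}    # assumed: executives attackers tend to impersonate
# Request language typical of payment/data lures; a constructed list, not the product's.
SUSPICIOUS_PHRASES = ("wire transfer", "urgent", "w-2", "payroll", "gift card", "confidential")
# Stand-in for a registration-date (WHOIS) lookup; ages in days are constructed.
DOMAIN_AGE_DAYS = {"example-corp.com": 4000, "examp1e-corp.com": 3, "vendor-supplies.example": 2200}
NEW_DOMAIN_DAYS = 30
MAX_LOOKALIKE_DISTANCE = 2


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using the classic single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def normalise_domain(domain: str) -> str:
    """Fold common look-alike substitutions so 'examp1e-corp.com' compares as 'example-corp.com'."""
    for bad, good in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("rn", "m")):
        domain = domain.replace(bad, good)
    return domain


def indicators(raw_message: str) -> dict:
    """Return the indicators of attack tripped by one RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    body = (msg.get_payload() or "").lower()    # samples are single-part text
    found = {}
    # 1. Display name: an executive's name on an address outside the organization.
    if display_name.strip().lower() in PROTECTED_NAMES and domain != ORG_DOMAIN:
        found["display_name"] = f"{display_name!r} sent from {domain or 'no domain'}"
    if domain and domain != ORG_DOMAIN:
        # 2. Domain name: close to the genuine domain once look-alikes are folded.
        dist = edit_distance(normalise_domain(domain), ORG_DOMAIN)
        if dist <= MAX_LOOKALIKE_DISTANCE:
            found["similar_domain"] = f"{domain} is {dist} edit(s) from {ORG_DOMAIN}"
        # 3. Domain age: a freshly registered sending domain is a classic lure indicator.
        age = DOMAIN_AGE_DAYS.get(domain)
        if age is not None and age < NEW_DOMAIN_DAYS:
            found["new_domain"] = f"{domain} registered {age} day(s) ago"
    # 4. Body: payment or data-request language.
    hits = [p for p in SUSPICIOUS_PHRASES if p in body]
    if hits:
        found["body_phrases"] = hits
    return found


def decide(found: dict) -> str:
    """Map the number of tripped indicators to the actions the post lists."""
    count = len(found)
    if count >= 3:
        return "bounce"
    if count == 2:
        return "quarantine"
    return "notify" if count == 1 else "deliver"


# Constructed sample messages (not real mail).
WHALING = """\
From: Jane Doe <jane.doe@examp1e-corp.com>
To: payroll@example-corp.com
Subject: Quick favour

I need the W-2 forms for all staff before the board call. Urgent, please keep this confidential.
"""
VENDOR = """\
From: Accounts <ap@vendor-supplies.example>
To: finance@example-corp.com
Subject: Invoice 1042

Please find the wire transfer details for this month's invoice attached.
"""
LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: payroll@example-corp.com
Subject: Lunch

Are we still on for Thursday?
"""

if __name__ == "__main__":
    for label, raw in (("whaling", WHALING), ("vendor", VENDOR), ("legit", LEGIT)):
        tripped = indicators(raw)
        print(f"{label:8s} -> {decide(tripped):10s} {tripped}")
```

The graded outcome is the point: the whaling sample trips all four indicators and is bounced, the vendor invoice trips only the body-phrase check and earns a user notification rather than a block, and the genuine internal message passes. A real gateway would of course draw the domain age from a live lookup and tune the phrase list and thresholds to its own traffic.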

We recently explained in a little more detail how Impersonation Protect works by applying advanced pattern recognition to these malware-less emails. This new service can defend on-premises, hybrid and pure cloud email deployments including Microsoft® Exchange and Office 365™.

Previously there was little you could do to protect your organization from whaling attacks. It largely came down to education and hoping your colleagues wouldn’t be duped by a well-targeted, socially engineered attack. But with Impersonation Protect we have changed that – you now have technology to protect you alongside training.

We look forward to hearing feedback on Impersonation Protect as it continues to evolve.


We should welcome the move by Obama’s administration to go after more funding – defending the nation from the growing threat of cyberattacks has to be a priority for any world government. 

The focus on more money for improving private, public and international collaboration is particularly important. The threat we face, after all, is universal and international, like the Internet itself: a threat to private companies is a threat to the economy, and an attack on the public sector will impact the private. We should all hope his call is heard and acted on by Congress, too – cybersecurity of national infrastructure, and the public and private sector, is too important to be a victim of partisan politics.


2016 is an election year, so the danger is that Obama’s successor is likely to want to just build a bigger wall around whatever needs protecting, and while that might be reassuring for voters, it’s a representation of how we’ve classically thought about the security of our assets. But, it’s 2016 and the wall, perimeter, LAN and the defences we used to rely on are all DOA today. The breaches we see every day show they are clearly not protecting us well enough. We need to see a strategy rethink. Many organizations are not updating their spending patterns for cybersecurity to fit with the modern threats they face – that can be very damaging.

If you needed a letter from the President to get budget prioritized for cybersecurity projects, chances are, you’re way behind the security curve and are likely going to be spending on remediation rather than protection.

Cybersecurity has become the issue of 2015 and 2016; there’s enough evidence out there that the government, large corporations and consumers have been dramatically hurt by hacks and cybercrime. The OPM, FBI, State Department and Whitehouse hacks when combined with Sony, Target, Anthem and the many others show us that cybercriminals are making significant progress against our best traditional defences.

If you’re only now waking up to the issues of cybercrime, cyber warfare and hacking because of Obama’s political promises, then it’s likely you’re already being badly burned both organizationally and personally. Even if you don’t know it yet.

The enormity of the threat should not be new to us, should it? We’re several decades on from the invention of the first technologies that gave us viruses, Trojans and polymorphic files. We’re coming up to the fifth anniversary of the ground-zero hack for enterprises through email – the RSA Security hack of 2011 – yet we’re still seeing our corporate and personal lives affected by cyber-nefariousness.

I’m constantly hearing from CISOs and IT Managers: “We’ve just updated our security ‘a couple of years ago’ so we’re doing just fine.” This is their defence for not changing strategy, asking their executives for additional budget or modernizing a security solution. And this worries me – here’s why. First, anything that ends in “doing just fine” usually means you’re not fine, or you’re about to find out the hard way. Second, when you look at how advanced the cyber-threat landscape has become over the last two years (and how quickly it moves), anything you added to your security stack a few months ago could already be out of date.

So, if it was a letter from the President you needed to motivate you to deliver up-to-date protection for your network, now you have one. There should be no more excuses. Get it done. It’s your civic and corporate duty. Modernizing your cybersecurity protections, updating your processes and educating your people is a necessity you cannot delay any longer. Unless, of course, you fancy being the next organization in the headlines or explaining a breach to your bosses.